From d76e980bbd3d66a8e4e85a7cc7038080b65b537b Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 13 Feb 2022 20:01:18 +0200
Subject: [PATCH 01/11] extract MicrosoftSecurityProductName to enum
---
 .../2021-10-01-preview/AlertRules.json | 34 +++++++++++--------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 285804f4a0bf..8e2544807ca6 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1407,21 +1407,8 @@
 "type": "array"
 },
 "productFilter": {
- "description": "The alerts' productName on which the cases will be generated",
- "enum": [
- "Microsoft Cloud App Security",
- "Azure Security Center",
- "Azure Advanced Threat Protection",
- "Azure Active Directory Identity Protection",
- "Azure Security Center for IoT",
- "Office 365 Advanced Threat Protection",
- "Microsoft Defender Advanced Threat Protection"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "MicrosoftSecurityProductName"
- }
+ "$ref": "#/definitions/MicrosoftSecurityProductName",
+ "description": "The alerts' productName on which the cases will be generated"
 },
 "severitiesFilter": {
 "description": "the alerts' severities on which the cases will be generated",
@@ -1436,6 +1423,23 @@
 ],
 "type": "object"
 },
+ "MicrosoftSecurityProductName": {
+ "description": "The alerts' productName on which the cases will be generated",
+ "enum": [
+ "Microsoft Cloud App Security",
+ "Azure Security Center",
+ "Azure Advanced Threat Protection",
+ "Azure Active Directory Identity Protection",
+ "Azure Security Center for IoT",
+ "Office 365 Advanced Threat Protection",
+ "Microsoft Defender Advanced Threat Protection"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "MicrosoftSecurityProductName"
+ }
+ },
 "MicrosoftSecurityIncidentCreationAlertRuleProperties": {
 "allOf": [
 {
From 7011c04a91634a37ec0640a8ae868b30b4c24f3e Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 13 Feb 2022 20:05:12 +0200
Subject: [PATCH 02/11] extract AlertRuleTemplateStatus to enum
---
 .../2021-10-01-preview/AlertRules.json | 54 ++++++++++---------
 1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 8e2544807ca6..788350607daa 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
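Review bot: The new `MicrosoftSecurityProductName` definition is inserted between `MicrosoftSecurityIncidentCreationAlertRuleCommonProperties` and `MicrosoftSecurityIncidentCreationAlertRuleProperties`, which breaks the alphabetical order the neighbouring definition keys appear to follow; placing it after the last `MicrosoftSecurityIncidentCreation*` definition keeps the definitions section scannable and the diffs stable. The extraction itself is behaviour-preserving as far as the hunk shows: the enum values, `modelAsString` and the `x-ms-enum` name are unchanged, so generated clients keep the same type and accept the same set of product names.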
@@ -705,35 +705,39 @@
 "type": "array"
 },
 "status": {
- "description": "The alert rule template status.",
- "enum": [
- "Installed",
- "Available",
- "NotAvailable"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "TemplateStatus",
- "values": [
- {
- "description": "Alert rule template installed. and can not use more then once",
- "value": "Installed"
- },
- {
- "description": "Alert rule template is available.",
- "value": "Available"
- },
- {
- "description": "Alert rule template is not available",
- "value": "NotAvailable"
- }
- ]
- }
+ "$ref": "#/definitions/AlertRuleTemplateStatus",
+ "description": "The alert rule template status."
 }
 },
 "type": "object"
 },
+ "AlertRuleTemplateStatus": {
+ "description": "The alert rule template status.",
+ "enum": [
+ "Installed",
+ "Available",
+ "NotAvailable"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "TemplateStatus",
+ "values": [
+ {
+ "description": "Alert rule template installed. and can not use more then once",
+ "value": "Installed"
+ },
+ {
+ "description": "Alert rule template is available.",
+ "value": "Available"
+ },
+ {
+ "description": "Alert rule template is not available",
+ "value": "NotAvailable"
+ }
+ ]
+ }
+ },
 "AlertRuleTemplateWithMitreProperties": {
 "allOf": [
 {
From 52f2a39735749615774443fa2ef3294a1775265a Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 09:16:33 +0200
Subject: [PATCH 03/11] define FusionAlertRuleTemplateProperties
---
 .../2021-10-01-preview/AlertRules.json | 58 ++++++++++---------
 1 file changed, 30 insertions(+), 28 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 788350607daa..4f880b8150f9 100644
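Review bot: The new definition is keyed `AlertRuleTemplateStatus` while its `x-ms-enum.name` stays `TemplateStatus`, so the generated SDK type name will not match the schema name; keeping `TemplateStatus` is the right call for compatibility (renaming the enum would be a breaking change for generated clients), but the mismatch is worth a line in the PR description so nobody "aligns" it later. While the block is being moved anyway, the `Installed` value description carries two typos: `"description": "Alert rule template installed and cannot be used more than once",` reads correctly.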
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1168,41 +1168,43 @@
 "description": "Represents Fusion alert rule template.",
 "properties": {
 "properties": {
- "allOf": [
- {
- "$ref": "#/definitions/AlertRuleTemplateWithMitreProperties"
- }
- ],
+ "$ref": "#/definitions/FusionAlertRuleTemplateProperties",
 "description": "Fusion alert rule template properties",
- "properties": {
- "severity": {
- "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum",
- "description": "The severity for alerts created by this alert rule."
- },
- "sourceSettings": {
- "description": "All supported source signal configurations consumed in fusion detection.",
- "items": {
- "$ref": "#/definitions/FusionTemplateSourceSetting"
- },
- "x-ms-identifiers": [],
- "type": "array"
- }
- },
- "required": [
- "displayName",
- "description",
- "status",
- "severity",
- "sourceSettings",
- "alertRulesCreatedByTemplateCount"
- ],
- "type": "object",
 "x-ms-client-flatten": true
 }
 },
 "type": "object",
 "x-ms-discriminator-value": "Fusion"
 },
+ "FusionAlertRuleTemplateProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplateWithMitreProperties"
+ }
+ ],
+ "description": "Fusion alert rule template properties",
+ "severity": {
+ "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum",
+ "description": "The severity for alerts created by this alert rule."
+ },
+ "sourceSettings": {
+ "description": "All supported source signal configurations consumed in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionTemplateSourceSetting"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ },
+ "required": [
+ "displayName",
+ "description",
+ "status",
+ "severity",
+ "sourceSettings",
+ "alertRulesCreatedByTemplateCount"
+ ],
+ "type": "object"
+ },
 "FusionTemplateSourceSetting": {
 "description": "Represents a source signal consumed in Fusion detection.",
 "properties": {
From a62cf05f70581f50677fb70a8bc26b86667be5e1 Mon Sep 17 00:00:00 2001
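Review bot: In the new `FusionAlertRuleTemplateProperties` definition, `severity` and `sourceSettings` sit directly under the definition instead of inside a `properties` object, so a schema validator treats them as unknown keywords and the definition declares no properties of its own while still listing `severity` and `sourceSettings` in `required`. Patch 04 of this series adds the missing `properties` wrapper; squashing that fix into this commit keeps every commit in the series a valid spec, which matters for bisecting and for anyone consuming intermediate revisions.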
From: Laith Hisham
Date: Mon, 14 Feb 2022 09:25:04 +0200
Subject: [PATCH 04/11] add back nested properties
---
 .../2021-10-01-preview/AlertRules.json | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 4f880b8150f9..eb32f98766b1 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1183,17 +1183,19 @@
 }
 ],
 "description": "Fusion alert rule template properties",
- "severity": {
- "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum",
- "description": "The severity for alerts created by this alert rule."
- },
- "sourceSettings": {
- "description": "All supported source signal configurations consumed in fusion detection.",
- "items": {
- "$ref": "#/definitions/FusionTemplateSourceSetting"
+ "properties": {
+ "severity": {
+ "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum",
+ "description": "The severity for alerts created by this alert rule."
 },
- "x-ms-identifiers": [],
- "type": "array"
+ "sourceSettings": {
+ "description": "All supported source signal configurations consumed in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionTemplateSourceSetting"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
 },
 "required": [
 "displayName",
From 51c68aa55b79410da58292ed9176dcdbe2e8cb0f Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 09:57:10 +0200
Subject: [PATCH 05/11] add flatten to mitre and fusion properties objects
---
 .../preview/2021-10-01-preview/AlertRules.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index eb32f98766b1..09831ddb448d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -761,7 +761,8 @@
 "type": "array"
 }
 },
- "type": "object"
+ "type": "object",
+ "x-ms-client-flatten": true
 },
 "QueryBasedAlertRuleTemplateProperties": {
 "description": "Query based alert rule template base property bag.",
@@ -1205,7 +1206,8 @@
 "sourceSettings",
 "alertRulesCreatedByTemplateCount"
 ],
- "type": "object"
+ "type": "object",
+ "x-ms-client-flatten": true
 },
 "FusionTemplateSourceSetting": {
 "description": "Represents a source signal consumed in Fusion detection.",
From e5d70f641598bd71711e77b51ae20da6e595b416 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 10:22:34 +0200
Subject: [PATCH 06/11] change position of required
---
 .../2021-10-01-preview/AlertRules.json | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 09831ddb448d..f9dca4d433ed 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
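Review bot: `x-ms-client-flatten` is added at the definition level of `AlertRuleTemplateWithMitreProperties` and `FusionAlertRuleTemplateProperties`, whereas, as far as the AutoRest extension documentation goes, the flag is applied to the property that references a definition; the referencing `properties` property of `FusionAlertRuleTemplate` already carries `"x-ms-client-flatten": true` (visible in the context of patch 03), so the definition-level flag is redundant at best and, if the generator does honour it there, would flatten the type at every reference rather than only in the template. Patch 06 removes the first of the two again; I would drop the second as well unless generated-client output shows it is needed.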
@@ -761,8 +761,7 @@
 "type": "array"
 }
 },
- "type": "object",
- "x-ms-client-flatten": true
+ "type": "object"
 },
 "QueryBasedAlertRuleTemplateProperties": {
 "description": "Query based alert rule template base property bag.",
@@ -1171,6 +1170,14 @@
 "properties": {
 "$ref": "#/definitions/FusionAlertRuleTemplateProperties",
 "description": "Fusion alert rule template properties",
+ "required": [
+ "displayName",
+ "description",
+ "status",
+ "severity",
+ "sourceSettings",
+ "alertRulesCreatedByTemplateCount"
+ ],
 "x-ms-client-flatten": true
 }
 },
@@ -1198,14 +1205,6 @@
 "type": "array"
 }
 },
- "required": [
- "displayName",
- "description",
- "status",
- "severity",
- "sourceSettings",
- "alertRulesCreatedByTemplateCount"
- ],
 "type": "object",
 "x-ms-client-flatten": true
 },
From 283d4b59ac1aacef874cfdba6c83e390a23c01d6 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 10:55:11 +0200
Subject: [PATCH 07/11] define MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties
---
 .../2021-10-01-preview/AlertRules.json | 48 +++++++++++++++----
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index f9dca4d433ed..703babc10ad5 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
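Review bot: The second hunk moves the six-entry `required` list onto the `properties` property next to `$ref`, where Swagger 2.0 (JSON Schema draft-04) semantics make it a sibling that `$ref` replaces and validators ignore, and the third hunk removes it from `FusionAlertRuleTemplateProperties`, where it was effective; the net effect is that `displayName`, `description`, `status`, `severity`, `sourceSettings` and `alertRulesCreatedByTemplateCount` are no longer required for Fusion templates. `required` names properties of the object it sits on, so it belongs back on `FusionAlertRuleTemplateProperties`, or on `FusionAlertRuleTemplate` itself if the intent is to constrain the outer object. The same pattern recurs in patch 07, where the template's existing `required` list becomes a `$ref` sibling, and in patch 08, which then deletes the definition-level `"required": ["productFilter"]`.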
@@ -1496,14 +1496,7 @@
 "description": "Represents MicrosoftSecurityIncidentCreation rule template.",
 "properties": {
 "properties": {
- "allOf": [
- {
- "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
- },
- {
- "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties"
- }
- ],
+ "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties",
 "description": "MicrosoftSecurityIncidentCreation rule template properties",
 "required": [
 "displayName",
@@ -1519,6 +1512,45 @@
 "type": "object",
 "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation"
 },
+ "MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
+ }
+ ],
+ "description": "MicrosoftSecurityIncidentCreation rule template properties",
+ "properties": {
+ "displayNamesFilter": {
+ "description": "the alerts' displayNames on which the cases will be generated",
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "displayNamesExcludeFilter": {
+ "description": "the alerts' displayNames on which the cases will not be generated",
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "productFilter": {
+ "$ref": "#/definitions/MicrosoftSecurityProductName",
+ "description": "The alerts' productName on which the cases will be generated"
+ },
+ "severitiesFilter": {
+ "description": "the alerts' severities on which the cases will be generated",
+ "items": {
+ "$ref": "#/definitions/AlertSeverity"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "productFilter"
+ ],
+ "type": "object"
+ },
 "QueryBasedAlertRuleProperties": {
 "description": "Query based alert rule base property bag.",
 "properties": {
From 862e5b3bf49e154b1b85fc3f2c1e39b462121ab6 Mon Sep 17 00:00:00 2001
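Review bot: The new `MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties` definition re-declares `displayNamesFilter`, `displayNamesExcludeFilter`, `productFilter` and `severitiesFilter` inline instead of composing `MicrosoftSecurityIncidentCreationAlertRuleCommonProperties`, which the removed `allOf` entry referenced and which, judging by the context lines of patch 01, still carries the same filters; two copies will drift, and the `#/definitions/AlertSeverity` reference in the copy, corrected to `AlertSeverityEnum` only in patch 09, is already one such divergence. Keeping the `allOf` composition preserves a single source of truth for the filters while the definition still gets its own `description` and `type`, plus the `required` entry for `productFilter` if that is intended to be mandatory for templates.
```json
"MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": {
  "allOf": [
    {
      "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
    },
    {
      "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties"
    }
  ],
  "description": "MicrosoftSecurityIncidentCreation rule template properties",
  "required": [
    "productFilter"
  ],
  "type": "object"
},
```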
From: Laith Hisham
Date: Mon, 14 Feb 2022 11:01:46 +0200
Subject: [PATCH 08/11] align required + add flatten
---
 .../preview/2021-10-01-preview/AlertRules.json | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 703babc10ad5..19f7d62d6ead 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1546,10 +1546,8 @@
 "type": "array"
 }
 },
- "required": [
- "productFilter"
- ],
- "type": "object"
+ "type": "object",
+ "x-ms-client-flatten": true
 },
 "QueryBasedAlertRuleProperties": {
 "description": "Query based alert rule base property bag.",
From 2f25af37894fca097038416ed04ebbce9595b359 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 11:05:35 +0200
Subject: [PATCH 09/11] fix AlertSeverity ref
---
 .../preview/2021-10-01-preview/AlertRules.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 19f7d62d6ead..b1eaa14e65dd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1541,7 +1541,7 @@
 "severitiesFilter": {
 "description": "the alerts' severities on which the cases will be generated",
 "items": {
- "$ref": "#/definitions/AlertSeverity"
+ "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum"
 },
 "type": "array"
 }
From abaddacb81424f07fa62d4d045e2035eb4401396 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 11:10:49 +0200
Subject: [PATCH 10/11] align type to avoid breaking change
---
 .../preview/2021-10-01-preview/AlertRules.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index b1eaa14e65dd..be1a6c6db79d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1546,7 +1546,6 @@
 "type": "array"
 }
 },
- "type": "object",
 "x-ms-client-flatten": true
 },
 "QueryBasedAlertRuleProperties": {
From c2600c0f940891306c9c41859e53123b9364c577 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Mon, 14 Feb 2022 12:11:25 +0200
Subject: [PATCH 11/11] add type for MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties
---
 .../preview/2021-10-01-preview/AlertRules.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index be1a6c6db79d..b1eaa14e65dd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -1546,6 +1546,7 @@
 "type": "array"
 }
 },
+ "type": "object",
 "x-ms-client-flatten": true
 },
 "QueryBasedAlertRuleProperties": {